CVE-2024-10282

Name of the Vulnerable Software and Affected Versions: Tenda RX9 and RX9 Pro versions 22.03.02.10 through 22.03.02.20

Description: The issue is related to a stack-based buffer overflow in the sub 42EA38 function, which can be exploited by sending a specially crafted POST request to the /goform/SetVirtualServerCfg endpoint. This can allow a remote attacker to cause a denial of service. The manipulation of the argument list leads to the buffer overflow. The attack can be launched remotely.

Recommendations: For versions 22.03.02.10 through 22.03.02.20, consider disabling the sub 42EA38 function until a patch is available. Restrict access to the /goform/SetVirtualServerCfg endpoint to minimize the risk of exploitation. Avoid using the argument list in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.